GDPR (8) Legal basis for processing personal data
When preparing records of personal data processing operations, it is advisable for controllers to document the legal basis in those records, although this is not a requirement. In order for the data to be used lawfully, the processing operation must have a specific purpose and a demonstrable legal basis. Moreover, the processing operation must comply with the rules on proportionality and subsidiarity, which means it must be necessary and proportionate to the purpose.
The GDPR provides for a number of potential legal bases, which are not applicable in all cases. Before you start a processing operation, it is important to carefully consider your legal basis. This procedure must be documented and may play an important role later on in the event of any disputes or complaints.
The clearest, most specific instructions provided by the GDPR in relation to the legal basis concern the data subject’s consent, which we will discuss in detail in the next instalment of this blog.
Other legal bases can also be relied on. The data may be required for the implementation or preparation of a contract. All sorts of personal data are required in the context of the relationship between a customer and a supplier, first and foremost of which are contact details, but in the B2C world payment data and financial information are also frequently required. This legal basis provides adequate justification insofar as the processed information is demonstrably required in order to conclude the contract or provide the agreed service.
A legal obligation can also provide the basis for processing personal data. This may be an obligation under European or national legislation that requires companies to disclose information to the government. This is the case for companies including banks, insurers and airlines.
The public interest can also provide a legal basis, for example where the government makes organisational arrangements with companies for tax administration purposes. This legal basis also allows the collection of data for scientific or historical research purposes. The tasks of the public authorities are also covered by the public interest.
Moreover, the law provides that you may use the personal data of a data subject or another natural person in matters concerning vital interests (i.e. literally a matter of life or death). In that case, you must act in the interests of an individual person with sufficient common sense.
The last legal basis is the legitimate interest of the controller or a third party. This is not applicable to public authorities. If you rely on this legal basis, you must always make this clear and always weigh your interests carefully against the data subjects’ right to privacy. This must be clearly explained and demonstrated in your own records and in the privacy statements you draw up by way of explanation for the data subjects. A purely economic interest is no longer an adequate justification, and the processing operation must be necessary. It should be noted that this legal basis is the weakest. The GDPR specifically demands that additional attention be paid to the processing of data about children (up to the age of 16). This requires the consent of the parents, which is not so easy to arrange.
Even stricter rules apply to the processing of special categories of personal data. The processing of this kind of data is prohibited except in specific cases, which are set out in the GDPR.
These specific cases can be summarised as follows:
- If the data subjects have explicitly given their consent
- If the data concerned are already publicly available as they have been manifestly made public by the relevant data subject
- If this is done under employment legislation (all kinds of data need to be processed in connection with social security, legal requirements and contractual agreements)
- If a vital interest is involved and the data subject is unable to give consent (this often specifically concerns the use or transfer of medical data)
- If processing is carried out for non-profit associations and charitable organisations, to the extent that the processing concerns the lawful use of data about members, former members or persons with whom the relevant association or organisation is in regular contact
- If processing is carried out for foundations, trade unions or political or religious organisations (with political, philosophical or religious aims)
- In the case of data concerning offences or criminal matters, data may be processed only by public authorities or in those cases provided for by law (EU or national). Each country may impose its own limitations. Criminal law is a national matter and is not laid down in the GDPR.
- If the data are required as part of legal proceedings
- In a number of cases where this is necessary for reasons of public interest:
  - in the event of a substantial public interest, and when covered by EU or national legislation that also protects the rights of the individual
  - in the context of healthcare (medical diagnosis; data for the organisation of health or social care systems and services; assessments of the health of employees; testing of medicines)
  - in the event that the data are required for scientific or historical research purposes or archiving purposes, in which case you need to take the necessary protective measures (research results can be anonymised or pseudonymised, for instance).
In every case, important grounds for processing personal data are always required. The legal grounds provided by the data subject’s consent and the legitimate interest of the controller will be discussed in future instalments of this blog.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.